Abstract

Commutative encryption is a useful but rather strict notion in cryptography. In this paper, we define a loose variation of commutative encryption, commutative-like encryption, and give an example: the generalization of the ElGamal scheme. The application of the new variation is also discussed.
1. Introduction

Informally, a commutative encryption is a pair of encryption functions $f$ and $g$ such that $f(g(v)) = g(f(v))$. Commutative encryption is extremely useful in modern cryptography since many protocols rely on the existence of commutative encryption [1] [2] [3] [4]. However, few encryption schemes are known to be commutative. In this paper, we introduce a loose notion of "commutative-like encryption" and propose a primitive: the generalization of ElGamal. First introduced by ElGamal [2], the ElGamal encryption is one of the most famous public key encryption schemes and has various applications [5] [6] [7]. Based on ElGamal encryption, this new characterization shares most advantages of commutative encryption and ElGamal while the definition itself is not as strict as commutative encryption.
2. Preliminaries

We first describe some relevant definitions that will be used in the paper.

2.1. Commutative encryption

Our definition of commutative encryption below is similar to the constructions used in [5] [10] and others. As shown above, a commutative encryption is a pair of encryption functions $f$ and $g$ such that $f(g(v)) = g(f(v))$. Thus by using the combination $f(g(v))$ to encrypt $v$, we can ensure that $\mathcal{R}$ cannot compute the encryption of a value without the help of $\mathcal{S}$. In addition, even though the encryption is a combination of two functions, each party can apply its function first and still get the same result.

DEFINITION 1 (Indistinguishability). Let $\Omega_k \subset \{0,1\}^k$ be a finite domain of $k$-bit numbers. Let $D_1 = \mathcal{D}_1(\Omega_k)$ and $D_2 = \mathcal{D}_2(\Omega_k)$ be distributions over $\Omega_k$. Let $A_k(x)$ be an algorithm that, given $x \in \Omega_k$, returns either true or false. We define distribution $D_1$ of random variable $x \in \Omega_k$ to be computationally indistinguishable from distribution $D_2$ if for any family of polynomial-step (w.r.t. $k$) algorithms $A_k(x)$, any positive polynomial $p(\cdot)$, and all sufficiently large $k$,

$$\left|\Pr[A_k(x) \mid x \sim D_1] - \Pr[A_k(x) \mid x \sim D_2]\right| < \frac{1}{p(k)}$$

where $x \sim D$ denotes that $x$ is distributed according to $D$, and $\Pr[A_k(x)]$ is the probability that $A_k(x)$ returns true.

*DAI Wei is at the Department of Computer Science and Technology, Tsinghua University.

Throughout this paper, we will use "indistinguishable" as shorthand for "computationally indistinguishable".

DEFINITION 2 (Commutative Encryption). A commutative encryption $\mathcal{F}$ is a computable (in polynomial time) function $f : \mathrm{Key}_\mathcal{F} \times \mathrm{Dom}_\mathcal{F} \to \mathrm{Dom}_\mathcal{F}$, defined on finite computable domains, that satisfies all properties listed below. We denote $f_e(x) = f(e, x)$, and use "$\in_r$" to mean "is chosen uniformly at random from".

1. Commutative. For all $e, e' \in \mathrm{Key}_\mathcal{F}$ we have

$$f_e \circ f_{e'} = f_{e'} \circ f_e$$

2. Each $f_e : \mathrm{Dom}_\mathcal{F} \to \mathrm{Dom}_\mathcal{F}$ is a bijection.

3. The inverse $f_e^{-1}$ is also computable in polynomial time given $e$.

4. The distribution of $(x, f_e(x), y, f_e(y))$ is indistinguishable from the distribution of $(x, f_e(x), y, z)$, where $x, y, z \in_r \mathrm{Dom}_\mathcal{F}$ and $e \in_r \mathrm{Key}_\mathcal{F}$.

2.2. ElGamal encryption 

We define the ElGamal public-key encryption scheme. The ElGamal encryption scheme is based on the Diffie-Hellman assumption and it is a probabilistic encryption scheme, i.e., a specific message has many (exponential in the security parameter) possible encryptions. Formally,

DEFINITION 3 (ElGamal Public-Key Encryption Scheme [11]). The ElGamal public key encryption scheme is defined by a triplet $(G, E, D)$ of probabilistic polynomial time algorithms, with the following properties:

• The system setup algorithm, $S$, on input $1^n$, where $n$ is the security parameter, outputs the system parameters $(P, Q, g)$, where $(P, Q, g)$ is an instance of the DLP collection, i.e., $P$ is a uniformly chosen prime of length $|P| = n + \delta$ for a specified constant $\delta$, and $g$ is a uniformly chosen generator of the subgroup $G_Q$ of prime order $Q$ of $Z_P^*$, where $Q = (P - 1)/\gamma$ is prime and $\gamma$ is a specified small integer.

• The key generating algorithm, $G$, on input $(P, Q, g)$, outputs a public key, $e = (P, Q, g, y)$, and a private key, $d = (P, Q, g, x)$, where $x \in_r Z_Q$, and $y = g^x \bmod P$.

• The encryption algorithm, $E$, on input $(P, Q, g, y)$ and a message $m \in G_Q$, uniformly selects an element $k \in_r Z_Q$ and outputs

$$E((P, Q, g, y), m) = (g^k \pmod P,\ m y^k \pmod P)$$

• The decryption algorithm, $D$, on input $(P, Q, g, x)$ and a ciphertext $(y_1, y_2)$, outputs

$$D((P, g, x), (y_1, y_2)) = y_2 (y_1^x)^{-1} \pmod P$$

3. Re-encryption 

In this section, we present a re-encryption algorithm for ElGamal. Unlike most other schemes, using ElGamal encryption we obtain the ciphertext $(y_1, y_2)$; in this re-encryption algorithm, we need not encrypt $y_1$ and $y_2$ separately. Details follow (to simplify the description, we still use the terms defined in the previous section):

• To encrypt the plaintext $m$ (i.e., the "first" encryption step), we use the ElGamal scheme:

— Key generation: Let $x_A$ be the element uniformly chosen from $Z_Q$, and $y_A = g^{x_A} \bmod P$.

— Encryption: On input $(P, Q, g, y_A)$ and a message (plaintext) $m \in G_Q$, uniformly select an element $k_A \in_r Z_Q$ and output

$$E((P, Q, g, y_A), m) = (g^{k_A} \pmod P,\ m y_A^{k_A} \pmod P)$$

• To re-encrypt the ciphertext $(y_1, y_2) = (g^{k_A} \pmod P,\ m y_A^{k_A} \pmod P)$ (i.e., the re-encryption step), we use an algorithm similar to the ElGamal scheme:

— Key generation: Let $x_B$ be the element uniformly chosen from $Z_Q$, and $y_B = g^{x_B} \bmod P$.

— Re-encryption: The re-encryption algorithm $E_R$, on input $(P, Q, g, y_B)$ and a ciphertext $(y_1, y_2) = (g^{k_A} \pmod P,\ m y_A^{k_A} \pmod P)$, uniformly selects an element $k_B \in_r Z_Q$ and outputs

$$E_R((P, Q, g, y_B), (y_1, y_2)) = (y_1,\ g^{k_B} \pmod P,\ y_2 y_B^{k_B} \pmod P)$$

Note that since $(y_1, y_2) = (g^{k_A} \pmod P,\ m y_A^{k_A} \pmod P)$, the ciphertext (after re-encryption) is

$$E_R((P, Q, g, y_B), (y_1, y_2)) = (g^{k_A} \pmod P,\ g^{k_B} \pmod P,\ m y_A^{k_A} y_B^{k_B} \pmod P)$$

To simplify, let $(c_1, c_2, c_3) = (g^{k_A} \pmod P,\ g^{k_B} \pmod P,\ m y_A^{k_A} y_B^{k_B} \pmod P)$, and so $E_R((P, Q, g, y_B), (y_1, y_2)) = (c_1, c_2, c_3)$. Also, we use $E_A$ and $E_B(E_A)$ to represent the encryption and re-encryption processes respectively (with keys $x_A$ and $x_B$).

The decryption is also similar to the ElGamal scheme, but needs two decryption rounds. Details follow:

• First round: The decryption algorithm, $D_B$, on input $(P, Q, g, x_B)$ and a ciphertext $(c_1, c_2, c_3)$, outputs

$$D_B((P, g, x_B), (c_1, c_2, c_3)) = (c_1,\ c_3 (c_2^{x_B})^{-1} \pmod P)$$

Now let us see what we obtain after this round: from $(c_1, c_2, c_3) = (g^{k_A} \pmod P,\ g^{k_B} \pmod P,\ m y_A^{k_A} y_B^{k_B} \pmod P)$ we come up with $c_1 = g^{k_A} \pmod P$ and

$$c_3 (c_2^{x_B})^{-1} \pmod P = m y_A^{k_A} \pmod P$$

Thus we end up with $D_B((P, g, x_B), (c_1, c_2, c_3)) = (y_1, y_2)$; using the ElGamal scheme we can decrypt the ciphertext $(y_1, y_2)$:

• The decryption algorithm, $D_A$, on input $(P, Q, g, x_A)$ and a ciphertext $(y_1, y_2)$, outputs

$$D_A((P, g, x_A), (y_1, y_2)) = y_2 (y_1^{x_A})^{-1} \pmod P \ (= m)$$

In this paper, we directly present a theorem concerning the security of the re-encryption scheme without proving it. For the proof, we refer readers to Ref. [11].

Theorem 1. If the re-encryption scheme is not secure in the sense of indistinguishability, then there exists a probabilistic polynomial-time Turing Machine (p.p.t. TM) that solves the decision Diffie-Hellman problem with overwhelming probability.

Furthermore, it is proved that breaking the decision D-H problem is almost as hard as computing discrete logarithms [12], while computing discrete logarithms is as hard as languages in NPC unless the polynomial hierarchy (PH) collapses to the second level [13].
4. Commutative-like encryption

Commutative-like encryption is a new notion presented in this paper. Before giving the definition of commutative-like encryption, let us first check one property of the above re-encryption scheme.

In the decryption scheme above, we decrypt the re-encrypted ciphertext in the order corresponding to the order of encryption; however, we may apply a different order. Details follow:

• First round: The decryption algorithm, $D_A$, on input $(P, Q, g, x_A)$ and a ciphertext $(c_1, c_2, c_3)$, outputs

$$D_A((P, g, x_A), (c_1, c_2, c_3)) = (c_2,\ c_3 (c_1^{x_A})^{-1} \pmod P)$$

Now let us see what we obtain after this round: from $(c_1, c_2, c_3) = (g^{k_A} \pmod P,\ g^{k_B} \pmod P,\ m y_A^{k_A} y_B^{k_B} \pmod P)$ we come up with $c_2 = g^{k_B} \pmod P$ and

$$c_3 (c_1^{x_A})^{-1} \pmod P = m y_B^{k_B} \pmod P$$

Thus we end up with $D_A((P, g, x_A), (c_1, c_2, c_3)) = (y_1', y_2')$, where $y_1' = g^{k_B} \pmod P$ and $y_2' = m y_B^{k_B} \pmod P$; using the ElGamal scheme we can decrypt the ciphertext $(y_1', y_2')$:

• The decryption algorithm, $D_B$, on input $(P, Q, g, x_B)$ and a ciphertext $(y_1', y_2')$, outputs

$$D_B((P, g, x_B), (y_1', y_2')) = y_2' (y_1'^{\,x_B})^{-1} \pmod P$$

Clearly, in both decryption schemes, we have the plaintext at the last step. This suggests a "commutative-like" characterization: the result of decryption does not rely on the order of decryptions. More specifically, in the scheme, let $m$ be the plaintext and $(c_1, c_2, c_3)$ be the ciphertext; we have

$$D_A(D_B(c_1, c_2, c_3)) = D_B(D_A(c_1, c_2, c_3)) = m$$

or equivalently, we have

$$D_B(D_A(E_B(E_A(m)))) = m$$

Largely due to its probabilistic nature, this encryption cannot be termed a commutative encryption, since each ciphertext of the same plaintext will differ from one run to the next with overwhelming probability; that is, $(c_1, c_2, c_3) = E_B(E_A(m))$ is not fixed (in fact, the ciphertext is the same only if the randomly chosen variables $k_A, k_B$ are fixed).

DEFINITION 4 (Commutative-like Encryption). A commutative-like encryption $\mathcal{F}$ is a computable (in polynomial time) function $f : \mathrm{Key}_\mathcal{F} \times \mathrm{Dom}_\mathcal{F} \to \mathrm{Ran}_\mathcal{F}$, defined on finite computable domains, that satisfies all properties listed below.

1. Commutative-like. For all $e, e' \in \mathrm{Key}_\mathcal{F}$ we have

$$f_{e'}^{-1} \circ f_e^{-1} \circ f_{e'} \circ f_e = I$$

2. The inverse $f_e^{-1}$ is a deterministic process (i.e., every ciphertext maps to only one plaintext, while a plaintext might map to many ciphertexts) and is also computable in polynomial time given $e$.

3. The distribution of $(x, f_e(x), y, f_e(y))$ is indistinguishable from the distribution of $(x, f_e(x), y, z)$, where $x, y \in_r \mathrm{Dom}_\mathcal{F}$, $z \in_r \mathrm{Ran}_\mathcal{F}$ and $e \in_r \mathrm{Key}_\mathcal{F}$.

Informally, Property 1 says that when we compositely encrypt with two different keys, the result is the same irrespective of the order of decryption. Property 2 says that given an encrypted value $f_e(x)$ and the encryption key $e$, we can find $x$ in polynomial time, and there is only one such $x$. Property 3 says that given a value $x$ and its encryption $f_e(x)$ (but not the key $e$), for a new value $y$, we cannot distinguish between $f_e(y)$ and a random value $z$ in polynomial time. Thus we can neither encrypt $y$ nor decrypt $f_e(y)$ in polynomial time. Note that this property holds only if $x$ is a random value from $\mathrm{Dom}_\mathcal{F}$, i.e., the adversary does not control the choice of $x$.

Now let us see how the encryption scheme fits the required properties. Obviously, the first and second properties come directly from the algorithms; now we check the third property. Note that if $(x, f_e(x), y, f_e(y)) = (m_1, g^{k_A}, m_1 g^{k_A x}, m_2, g^{k_B}, m_2 g^{k_B x})$ (where $(\bmod P)$ is omitted) is distinguishable from $(m_1, g^{k_A}, m_1 g^{k_A x}, m_2, z_1, z_2)$ ($z_1, z_2 \in_r \mathrm{Ran}_\mathcal{F}$), then $(g^{k_A}, g^{k_A x}, g^{k_B}, g^{k_B x})$ is distinguishable from the distribution of $(g^{k_A}, g^{k_A x}, g^{k_B}, z)$ where $z \in_r Z_Q$. The Decisional Diffie-Hellman hypothesis (DDH) claims that for any generating element $g$, the distribution of $(g^a, g^b, g^{ab})$ is indistinguishable from the distribution of $(g^a, g^b, g^c)$. A 3-tuple $(g^a, g^b, z)$ from the DDH can be reduced to our 4-tuple $(g^{k_A}, g^{k_A x}, g^{k_B}, z)$ by taking $d \in \mathrm{Key}_\mathcal{F}$ and making the tuple $(g^d, (g^a)^d, g^b, z)$. Now $a$ plays the role of $x$, $g^d$ of $g^{k_A}$, and $g^b$ of $g^{k_B}$; we test whether $z$ is $g^{ab}$ or random. Thus, given DDH, $(g^{k_A}, g^{k_A x}, g^{k_B}, g^{k_B x})$ and $(g^{k_A}, g^{k_A x}, g^{k_B}, z)$ are also indistinguishable, which contradicts our assumption.

5. Application Instance 

Readers might wonder about the real applications of commutative-like encryption, and here we propose one possible application in oblivious transfer. Oblivious transfer refers to a kind of two-party protocol where at the beginning of the protocol one party, the sender, has an input, and at the end of the protocol the other party, the receiver, learns some information about this input in a way that does not allow the sender to figure out what it has learned. Oblivious transfer is a fundamental primitive in the design and analysis of cryptographic protocols [14] [15]. Our scheme is a 1-out-of-n oblivious transfer: the sender has $n$ secrets $m_1, m_2, \ldots, m_n$ and is willing to disclose exactly one of them to the receiver at its choice.

Now let us see how our protocol proceeds: 

• The sender encrypts every item using its key $x_A$ and gets $E_{x_A}(m_1), E_{x_A}(m_2), \ldots, E_{x_A}(m_n)$. Then it reveals them to the receiver.

• On receiving the ciphertexts, the receiver chooses exactly one of them, say, $E_{x_A}(m_i)$ ($1 \le i \le n$), encrypts it to obtain $E_{x_B}(E_{x_A}(m_i))$ and sends it to the sender.

• The sender decrypts it, gets $D_{x_A}(E_{x_B}(E_{x_A}(m_i)))$ and sends it to the receiver.

• The receiver obtains $m_i$ by calculating $D_{x_B}(D_{x_A}(E_{x_B}(E_{x_A}(m_i))))$.

Instead of a formal proof, we explain how the protocol achieves its goal: according to the property of commutative-like encryption, the receiver can get its desired message after interaction with the sender, i.e., $D_{x_B}(D_{x_A}(E_{x_B}(E_{x_A}(m_i)))) = D_{x_A}(D_{x_B}(E_{x_B}(E_{x_A}(m_i)))) = m_i$; thus the protocol is correct. Furthermore, the receiver receives nothing other than $m_i$: it can hardly deduce anything from the ciphertexts $E_{x_A}(m_i)$ ($1 \le i \le n$). As for the privacy of the receiver, the sender does not know the receiver's choice $i$: it cannot infer $m_i$ from $E_{x_B}(E_{x_A}(m_i))$.

It should be noted that by trivially performing the protocol $m$ times, we obtain an $m$-out-of-$n$ oblivious transfer protocol.
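As an added worked example (our own code, not the paper's), the following Python implements the re-encryption scheme of Section 3, checks the order-independent decryption of Section 4 in both orders, and runs the 1-out-of-n oblivious transfer of Section 5 end to end. The toy parameters $P = 23$, $Q = 11$, $g = 4$ and all function names are constructed here; a real instance needs a large prime $P$.

```python
import secrets

# Constructed toy parameters (not from the paper): P = 2*11 + 1 = 23 is prime,
# Q = 11, and g = 4 generates the order-11 subgroup G_Q of Z_23^*.
P, Q, G = 23, 11, 4

def keygen():
    """Key generation: x <-_r Z_Q, y = g^x mod P."""
    x = secrets.randbelow(Q)
    return x, pow(G, x, P)

def encrypt(y, m):
    """E: (g^k mod P, m*y^k mod P) with fresh k <-_r Z_Q."""
    k = secrets.randbelow(Q)
    return pow(G, k, P), m * pow(y, k, P) % P

def reencrypt(y, c):
    """E_R: (c1, g^k mod P, c2*y^k mod P); c1 passes through unchanged, as in the paper."""
    k = secrets.randbelow(Q)
    return c[0], pow(G, k, P), c[1] * pow(y, k, P) % P

def decrypt(x, c):
    """D: c2 * (c1^x)^-1 mod P for a two-part ElGamal ciphertext."""
    return c[1] * pow(pow(c[0], x, P), -1, P) % P

def decrypt_B(xB, c):
    """D_B: strip B's layer first -> (c1, c3*(c2^xB)^-1 mod P)."""
    return c[0], c[2] * pow(pow(c[1], xB, P), -1, P) % P

def decrypt_A(xA, c):
    """D_A: strip A's layer first -> (c2, c3*(c1^xA)^-1 mod P)."""
    return c[1], c[2] * pow(pow(c[0], xA, P), -1, P) % P

def both_orders(m):
    """Returns (D_A(D_B(c)), D_B(D_A(c))) for c = E_B(E_A(m)); both must equal m."""
    xA, yA = keygen()
    xB, yB = keygen()
    c = reencrypt(yB, encrypt(yA, m))
    return decrypt(xA, decrypt_B(xB, c)), decrypt(xB, decrypt_A(xA, c))

def oblivious_transfer(msgs, i):
    """1-out-of-n OT of Section 5: the receiver with choice i ends up with msgs[i]."""
    xA, yA = keygen()                          # sender's key pair
    xB, yB = keygen()                          # receiver's key pair
    cts = [encrypt(yA, m) for m in msgs]       # sender reveals E_xA(m_j) for all j
    chosen = reencrypt(yB, cts[i])             # receiver re-encrypts its choice
    half = decrypt_A(xA, chosen)               # sender applies D_xA and returns it
    return decrypt(xB, half)                   # receiver applies D_xB
```

Messages must lie in $G_Q$ (the quadratic residues mod 23 for these parameters), exactly as Definition 3 requires $m \in G_Q$.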

6. Conclusion 

In this paper, we define the notion of commutative-like encryption, which is a useful variation of commutative encryption. As an example, it is shown that the ElGamal scheme can be such a commutative-like scheme. Also, we discussed one possible application of commutative-like encryption.